Things from Me
Happy Friday all!
After a week off due to the US holidays, we’re back! For those in the US that took some time off, I hope you had enough enjoyment that coming back to work this week seems less stressful. Here at Microsoft, things have ramped up quickly after just celebrating the end and start of fiscal years. It’s been so busy I’ve been taking meetings during my outside runs this past week. I’d like to publicly apologize to those of you that thought you were receiving creep calls from the heavy breather. It was just me trying to manage time, work, and fitness.
…
This week’s newsletter issue is all about Entra. We’ve made some significant announcements for GA releases, so make sure to check out the Entra section of the newsletter.
But I wanted to highlight one of the more interesting items here in the commentary. If you get a chance, check out:
…and let me know what you think. This is an important note that hasn’t gotten as much attribution as it should and could very well solve some of those burning questions you still have about IAM.
…
Last newsletter issue, I talked about something I did: I released my first fiction novel, called Sword of the Shattered Kingdoms: Ancient Crystal of Eldoria. At the time, I also alluded that I was working on a couple of books. So, while this first release is in the fantasy vein, I have another book releasing on August 2nd that is squarely in the Sci-Fi arena. The new book is titled WW2045: Alien Revenge. It’s now available for pre-order from Amazon.
I’ll be taking a brief break from fiction books for a while, as I just started another technical book. This one is about Copilot for Security.
…
That’s it from me for this week.
Talk soon.
-Rod
Stuff to Attend
Wednesday, July 31, 2024 10:00 AM–11:00 AM Pacific Time - Zero Trust in the Age of AI - Learn how to bolster your Zero Trust strategy with innovative solutions that’ll help you stay ready for changes to the threat landscape at the Zero Trust in the Age of AI spotlight on July 31.
Things that are Related
Microsoft Cloud Security: Top 10 low-hanging fruits - Almost every modern organization, whether a startup or an established enterprise, has Microsoft 365 or Azure services in place to fulfill IT requirements and operations.
Things to Watch/Listen To
Things in Techcommunity
Why FQDN resolution gets affected when Network Protection is in disabled state. - Why does FQDN resolution get affected when Network Protection is in the disabled state? Is it forcing the user to use Network Protection? Isn't the disabled state meant for not interfering with the network?
Unified Portal - Sentinel incident losing set tactics - Just trialing the unified portal, and incidents in Sentinel seem to lose any tactics set via the analytic rule. Plus, the resulting incident has a slightly different title, I assume after being converted to 'Defender speak'.
Unified Security Operation Sentinel Vs Defender Tables - I have a question regarding the Unified SOC portal. In the session below, they highlighted one advantage: the ability to use Defender and Sentinel Tables together. However, both the SignInLogs and DeviceLogonEvent tables are already accessible in Sentinel through the Defender connector. Am I missing something, or did they use an incorrect example to demonstrate an advantage that Sentinel already provides?
Copilot for Security Things
Special post from THE PROMPT (the Copilot for Security newsletter):
Using X/Twitter as a Source for Copilot for Security Intelligence - There’s a lot of great information on X/Twitter that can be used as a source of information for Copilot for Security. X/Twitter removed built-in RSS functionality, but the RSS.app service can be used to generate several types of feeds based on hashtags, accounts, searches, etc. Each feed provides differently formatted results with different content.
Microsoft Sentinel Things
Using Cribl Stream to ingest logs into Microsoft Sentinel - On 06 May 2024 it was announced by Microsoft here and by Cribl here that together, Microsoft and Cribl are working to drive accelerated SIEM migrations for customers looking to modernize their security operations (SecOps) with Microsoft Sentinel.
Configuring Microsoft Sentinel archive period for tables at Mass for Data Retention within Log Analytics Workspace - Last year, I released a post highlighting the importance and differences of Log Tiers in Log Analytics Workspaces for Microsoft Sentinel. In this post, we'll explore how to bulk configure your Archive Settings within a LAWS environment, enabling an easy setup for low-cost archive logs.
Quick Tip: Expanding All Microsoft Sentinel Console Headers - A recent change has rolled out to the Microsoft Sentinel console (the one that still exists in the Azure portal, not the one in the unified Defender console) that shows the Sentinel menu items collapsed by default.
Unified Security Operations Platform - Technical FAQ! - In this blog, we dive into some of the most common questions and share best practices to expedite resolution, bring more clarity, and save valuable troubleshooting time.
Azure Sentinel Workbook/Dashboard: PurpleTeam Event Viewing Dashboard — quickly threat hunt and find test events! - Do you need a quick way to find and view events related to an exercise or an active attack? This dashboard allows you to quickly search for and find log entries across several table types.
Sentinel TI Upload Toolkit - The Sentinel TI Upload Toolkit contains a number of PowerShell functions and scripts to import Threat Intelligence IOCs into Microsoft Sentinel using the upload indicators API. For more details, also see Reference the upload indicators API (Preview) to import threat intelligence to Microsoft Sentinel.
Defender for Cloud Things
Deprecation: Reminder of deprecation for adaptive recommendations - Estimated date for change: August, 2024 - As part of the MMA deprecation and the Defender for Servers updated deployment strategy, Defender for Servers security features will be provided through the Microsoft Defender for Endpoint (MDE) agent, or through the agentless scanning capabilities. Neither of these options depends on either the MMA or the Azure Monitoring Agent (AMA).
Microsoft Purview Things
Leveraging insider risk visibility to strengthen your data security - Microsoft Purview Insider Risk Management correlates various signals, such as unusual access patterns and data exfiltration, to identify potential malicious or inadvertent insider risks, including IP theft, data leakage, and security violations. Insider Risk Management enables customers to create data handling policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Microsoft Entra Things
The Microsoft Entra Suite and unified security operations platform are now generally available | Microsoft Security Blog - We’re announcing new capabilities to help accelerate your transition to a Zero Trust security model with the general availability of the Microsoft Entra Suite, the industry’s most comprehensive secure access solution for the workforce, and the general availability of Microsoft Sentinel within the Microsoft unified security operations platform, which delivers unified threat protection and posture management. These innovations make it easier to secure access, identify and close critical security gaps, detect cyberthreats, reduce response times, and streamline operations.
Microsoft Entra Suite now generally available - Today we announced the general availability of Microsoft Entra Suite, the industry’s most comprehensive secure access solution for the workforce. The Microsoft Entra Suite delivers the most comprehensive Zero Trust user access solution and enables organizations to converge their access policy engines across identities, endpoints, and private and public networks.
Microsoft Security Service Edge now generally available - Today, we announced the general availability of the Microsoft Entra Suite which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. It consistently enforces least privilege access to achieve your governance requirements while improving your employee experience.
What’s new in Microsoft Entra – June 2024 - Have you explored the What's New in Microsoft Entra hub in the Microsoft Entra admin center? It's a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio so you can stay informed with the latest updates and actionable insights to strengthen your security posture.
Microsoft Entra certificate-based authentication enhancements - Today we're announcing the general availability of many improvements we introduced earlier this year – username bindings, affinity bindings, policy rules, and advanced CBA options in Conditional Access are all GA! I am also excited to announce the public preview of an exciting new capability - issuer hints. The issuer hints feature greatly improves user experience by helping users to easily identify the right certificate for authentication.
Authenticating Microsoft Entra ID using windows principal metadata - Public Preview - Today we’re announcing the public preview of Native Windows Principals for SQL Managed Instance. This capability simplifies the migration to SQL Managed Instance and unblocks the migration of legacy applications that are tied to Windows logins.
Understanding the essentials of identity and access management (IAM) | Microsoft Entra Identity Platform - In the digital age, identity and access management (IAM) is crucial for protecting data and ensuring that only authorized users, machines, and applications get access to the right resources, at the right time. It’s an essential part of ensuring secure and efficient system interactions. This blog post explores some of the core elements of identity and access management, offering insights into its critical role in cybersecurity.
Microsoft Purview Things
Dynamic watermarking hits the mark in protecting highly sensitive data - Today at Inspire, we are excited to announce the public preview of a new Information Protection capability for Microsoft 365 Office Word, Excel, and PowerPoint files called dynamic watermarking. This highly requested capability enables system admins to configure Purview sensitivity labels that visually display the reader’s email address and date/timestamp information over the file content to attribute and deter leaks. This is now available to any customers who need to protect high-value Intellectual Property (IP) in various industries.